This repository has been archived by the owner on May 17, 2024. It is now read-only.
laravel/framework-v5.8.27: 14 vulnerabilities (highest severity is: 9.8) #34
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
mend-for-github-com
bot
added
the
Mend: dependency security vulnerability
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/f1dccffb96f614895393e27e4667105a05407af5
Found in HEAD commit: e08c0f6f62ab62a514f3671e66af28b5896458cf
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - laravel/framework-v5.8.27
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/f1dccffb96f614895393e27e4667105a05407af5
Dependency Hierarchy:
Found in HEAD commit: e08c0f6f62ab62a514f3671e66af28b5896458cf
Found in base branch: main
Vulnerability Details
Application's using the "cookie" session driver were the primary applications affected by this vulnerability. Since we have not yet released a security release for the Laravel 5.5 version of the framework, we recommend that all applications running Laravel 5.5 and earlier do not use the "cookie" session driver in their production deployments.
Publish Date: 2020-07-27
URL: WS-2020-0144
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2020-0144
Release Date: 2020-07-27
Fix Resolution: laravel/framework - 5.6.x-dev,5.7.x-dev,v6.18.31,5.0.x-dev,5.5.x-dev,5.2.x-dev,4.2.x-dev,5.2.41,6.x-dev,5.3,5.0.30,5.4.x-dev,5.1.x-dev,5.8.x-dev
Vulnerable Library - laravel/framework-v5.8.27
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/f1dccffb96f614895393e27e4667105a05407af5
Dependency Hierarchy:
Found in HEAD commit: e08c0f6f62ab62a514f3671e66af28b5896458cf
Found in base branch: main
Vulnerability Details
Laravel Framework through 8.70.2 does not sufficiently block the upload of executable PHP content because Illuminate/Validation/Concerns/ValidatesAttributes.php lacks a check for .phar files, which are handled as application/x-httpd-php on systems based on Debian. NOTE: this CVE Record is for Laravel Framework, and is unrelated to any reports concerning incorrectly written user applications for image upload.
Publish Date: 2021-11-14
URL: CVE-2021-43617
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43617
Release Date: 2021-11-14
Fix Resolution: php-illuminate-session - 6.20.14+dfsg-2+deb11u1;php-illuminate-broadcasting - 6.20.14+dfsg-2+deb11u1;php-illuminate-config - 6.20.14+dfsg-2+deb11u1;php-illuminate-cookie - 6.20.14+dfsg-2+deb11u1;php-laravel-framework - 6.20.14+dfsg-2+deb11u1;php-illuminate-database - 6.20.14+dfsg-2+deb11u1;php-illuminate-translation - 6.20.14+dfsg-2+deb11u1;php-illuminate-support - 6.20.14+dfsg-2+deb11u1;php-illuminate-encryption - 6.20.14+dfsg-2+deb11u1;php-illuminate-hashing - 6.20.14+dfsg-2+deb11u1;php-illuminate-auth - 6.20.14+dfsg-2+deb11u1;php-illuminate-http - 6.20.14+dfsg-2+deb11u1;php-illuminate-mail - 6.20.14+dfsg-2+deb11u1;php-illuminate-view - 6.20.14+dfsg-2+deb11u1;php-illuminate-pipeline - 6.20.14+dfsg-2+deb11u1;php-illuminate-filesystem - 6.20.14+dfsg-2+deb11u1;php-illuminate-validation - 6.20.14+dfsg-2+deb11u1;php-illuminate-container - 6.20.14+dfsg-2+deb11u1;php-illuminate-notifications - 6.20.14+dfsg-2+deb11u1;php-illuminate-cache - 6.20.14+dfsg-2+deb11u1;php-illuminate-contracts - 6.20.14+dfsg-2+deb11u1;php-illuminate-routing - 6.20.14+dfsg-2+deb11u1;php-illuminate-queue - 6.20.14+dfsg-2+deb11u1;php-illuminate-redis - 6.20.14+dfsg-2+deb11u1;php-illuminate-bus - 6.20.14+dfsg-2+deb11u1;php-illuminate-log - 6.20.14+dfsg-2+deb11u1;php-illuminate-console - 6.20.14+dfsg-2+deb11u1;php-illuminate-pagination - 6.20.14+dfsg-2+deb11u1;php-illuminate-events - 6.20.14+dfsg-2+deb11u1
Vulnerable Library - symfony/http-kernel-v4.3.2
The HttpKernel component provides a structured process for converting a Request into a Response.
Dependency Hierarchy:
Found in HEAD commit: e08c0f6f62ab62a514f3671e66af28b5896458cf
Found in base branch: main
Vulnerability Details
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony HTTP cache system, acts as a reverse proxy: It caches entire responses (including headers) and returns them to the clients. In a recent change in the
AbstractSessionListener, the response might contain aSet-Cookieheader. If the Symfony HTTP cache system is enabled, this response might bill stored and return to the next clients. An attacker can use this vulnerability to retrieve the victim's session. This issue has been patched and is available for branch 4.4.Publish Date: 2023-02-03
URL: CVE-2022-24894
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://symfony.com/blog/cve-2022-24894-prevent-storing-cookie-headers-in-httpcache
Release Date: 2022-02-11
Fix Resolution: v4.4.50, v5.4.20, v6.0.20, v6.1.12, v6.2.6
Vulnerable Library - league/flysystem-1.0.53
Abstraction for local and remote filesystems
Dependency Hierarchy:
Found in HEAD commit: e08c0f6f62ab62a514f3671e66af28b5896458cf
Found in base branch: main
Vulnerability Details
Flysystem is an open source file storage library for PHP. The whitespace normalisation using in 1.x and 2.x removes any unicode whitespace. Under certain specific conditions this could potentially allow a malicious user to execute code remotely. The conditions are: A user is allowed to supply the path or filename of an uploaded file, the supplied path or filename is not checked against unicode chars, the supplied pathname checked against an extension deny-list, not an allow-list, the supplied path or filename contains a unicode whitespace char in the extension, the uploaded file is stored in a directory that allows PHP code to be executed. Given these conditions are met a user can upload and execute arbitrary code on the system under attack. The unicode whitespace removal has been replaced with a rejection (exception). For 1.x users, upgrade to 1.1.4. For 2.x users, upgrade to 2.1.1.
Publish Date: 2021-06-24
URL: CVE-2021-32708
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-9f46-5r25-5wfm
Release Date: 2021-06-24
Fix Resolution: 1.1.4,2.1.1
Vulnerable Library - symfony/http-kernel-v4.3.2
The HttpKernel component provides a structured process for converting a Request into a Response.
Dependency Hierarchy:
Found in HEAD commit: e08c0f6f62ab62a514f3671e66af28b5896458cf
Found in base branch: main
Vulnerability Details
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/http-kernel.
Publish Date: 2019-11-21
URL: CVE-2019-18887
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://symfony.com/blog/symfony-4-3-8-released
Release Date: 2019-11-21
Fix Resolution: 2.8.52, 3.4.35, 4.2.12, 4.3.8
Vulnerable Library - laravel/framework-v5.8.27
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/f1dccffb96f614895393e27e4667105a05407af5
Dependency Hierarchy:
Found in HEAD commit: e08c0f6f62ab62a514f3671e66af28b5896458cf
Found in base branch: main
Vulnerability Details
RCE vulnerability in "cookie" session driver
Publish Date: 2020-07-27
URL: WS-2020-0139
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://packagist.org/packages/illuminate/cookie#v7.22.4
Release Date: 2020-07-27
Fix Resolution: 5.5.x-dev, 5.6.x-dev,5.7.x-dev, 5.8.x-dev,v6.18.31,v7.22.4
Vulnerable Library - guzzlehttp/psr7-1.6.1
PSR-7 HTTP message library
Dependency Hierarchy:
Found in HEAD commit: e08c0f6f62ab62a514f3671e66af28b5896458cf
Found in base branch: main
Vulnerability Details
guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1.1 are vulnerable to improper header parsing. An attacker could sneak in a new line character and pass untrusted values. The issue is patched in 1.8.4 and 2.1.1. There are currently no known workarounds.
Publish Date: 2022-03-21
URL: CVE-2022-24775
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-q7rv-6hp3-vh96
Release Date: 2022-03-21
Fix Resolution: 1.8.4,2.1.1
Vulnerable Library - laravel/framework-v5.8.27
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/f1dccffb96f614895393e27e4667105a05407af5
Dependency Hierarchy:
Found in HEAD commit: e08c0f6f62ab62a514f3671e66af28b5896458cf
Found in base branch: main
Vulnerability Details
An issue was discovered in Laravel before 6.18.35 and 7.x before 7.24.0. The $guarded property is mishandled in some situations involving requests with JSON column nesting expressions.
Publish Date: 2020-09-04
URL: CVE-2020-24941
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-w68r-5p45-5rqp
Release Date: 2020-09-11
Fix Resolution: v6.18.35,v7.24.0
Vulnerable Libraries - symfony/mime-v4.3.2, symfony/http-foundation-v4.3.2
symfony/mime-v4.3.2
A library to manipulate MIME messages
Library home page: https://api.github.com/repos/symfony/mime/zipball/ec2c5565de60e03f33d4296a655e3273f0ad1f8b
Dependency Hierarchy:
symfony/http-foundation-v4.3.2
Symfony HttpFoundation Component
Library home page: https://api.github.com/repos/symfony/http-foundation/zipball/e1b507fcfa4e87d192281774b5ecd4265370180d
Dependency Hierarchy:
Found in HEAD commit: e08c0f6f62ab62a514f3671e66af28b5896458cf
Found in base branch: main
Vulnerability Details
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x).
Publish Date: 2019-11-21
URL: CVE-2019-18888
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://symfony.com/blog/cve-2019-18888-prevent-argument-injection-in-a-mimetypeguesser
Release Date: 2019-11-21
Fix Resolution: v2.8.52,v3.4.35,v4.2.12,v4.3.8
Vulnerable Library - laravel/framework-v5.8.27
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/f1dccffb96f614895393e27e4667105a05407af5
Dependency Hierarchy:
Found in HEAD commit: e08c0f6f62ab62a514f3671e66af28b5896458cf
Found in base branch: main
Vulnerability Details
Laravel is a web application framework. Versions of Laravel before 6.20.14, 7.30.4 and 8.24.0 contain a query binding exploitation.
If a request is crafted where a field that is normally a non-array value is an array, and that input is not validated or cast to its expected type before being passed to the query builder, an unexpected number of query bindings can be added to the query. In some situations, this will simply lead to no results being returned by the query builder; however, it is possible certain queries could be affected in a way that causes the query to return unexpected results.
Publish Date: 2021-02-02
URL: WS-2021-0013
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-x7p5-p2c9-phvg
Release Date: 2021-02-02
Fix Resolution: laravel/framework - 6.20.14, 7.30.4, 8.24.0
Vulnerable Library - laravel/framework-v5.8.27
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/f1dccffb96f614895393e27e4667105a05407af5
Dependency Hierarchy:
Found in HEAD commit: e08c0f6f62ab62a514f3671e66af28b5896458cf
Found in base branch: main
Vulnerability Details
Laravel is a web application framework. Laravel prior to versions 8.75.0, 7.30.6, and 6.20.42 contain a possible cross-site scripting (XSS) vulnerability in the Blade templating engine. A broken HTML element may be clicked and the user taken to another location in their browser due to XSS. This is due to the user being able to guess the parent placeholder SHA-1 hash by trying common names of sections. If the parent template contains an exploitable HTML structure an XSS vulnerability can be exposed. This vulnerability has been patched in versions 8.75.0, 7.30.6, and 6.20.42 by determining the parent placeholder at runtime and using a random hash that is unique to each request.
Publish Date: 2021-12-08
URL: CVE-2021-43808
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-66hf-2p6w-jqfw
Release Date: 2021-12-08
Fix Resolution: v6.20.42, v7.30.6, v8.75.0
Vulnerable Library - laravel/framework-v5.8.27
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/f1dccffb96f614895393e27e4667105a05407af5
Dependency Hierarchy:
Found in HEAD commit: e08c0f6f62ab62a514f3671e66af28b5896458cf
Found in base branch: main
Vulnerability Details
Those using SQL Server with Laravel and allowing user input to be passed directly to the limit and offset functions are vulnerable to SQL injection. Other database drivers such as MySQL and Postgres are not affected by this vulnerability.
This problem has been patched on Laravel versions 6.20.26 and 8.40.0.
Publish Date: 2021-04-30
URL: WS-2021-0079
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-4mg9-vhxq-vm7j
Release Date: 2021-04-30
Fix Resolution: lluminate/database - 6.20.26, 7.30.5, 8.40.0;laravel/framework - 6.20.26, 7.30.5, 8.40.0
Vulnerable Library - laravel/framework-v5.8.27
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/f1dccffb96f614895393e27e4667105a05407af5
Dependency Hierarchy:
Found in HEAD commit: e08c0f6f62ab62a514f3671e66af28b5896458cf
Found in base branch: main
Vulnerability Details
Laravel is a web application framework. Versions of Laravel before 6.20.11, 7.30.2 and 8.22.1 contain a query binding exploitation. This same exploit applies to the illuminate/database package which is used by Laravel. If a request is crafted where a field that is normally a non-array value is an array, and that input is not validated or cast to its expected type before being passed to the query builder, an unexpected number of query bindings can be added to the query. In some situations, this will simply lead to no results being returned by the query builder; however, it is possible certain queries could be affected in a way that causes the query to return unexpected results.
Publish Date: 2021-01-19
URL: CVE-2021-21263
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-3p32-j457-pg5x
Release Date: 2021-01-19
Fix Resolution: v6.20.11,v7.30.2,v8.22.1
Vulnerable Library - symfony/http-foundation-v4.3.2
Symfony HttpFoundation Component
Library home page: https://api.github.com/repos/symfony/http-foundation/zipball/e1b507fcfa4e87d192281774b5ecd4265370180d
Dependency Hierarchy:
Found in HEAD commit: e08c0f6f62ab62a514f3671e66af28b5896458cf
Found in base branch: main
Vulnerability Details
In Symfony before versions 4.4.7 and 5.0.7, when a
Responsedoes not contain aContent-Typeheader, affected versions of Symfony can fallback to the format defined in theAcceptheader of the request, leading to a possible mismatch between the response's content andContent-Typeheader. When the response is cached, this can prevent the use of the website by other users. This has been patched in versions 4.4.7 and 5.0.7.Publish Date: 2020-03-30
URL: CVE-2020-5255
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5255
Release Date: 2020-03-30
Fix Resolution: 4.4.7,5.0.7
The text was updated successfully, but these errors were encountered: